On 09/21/2015 06:02 PM, William Hay wrote:
> So having acquired a whole bunch of peers for my keyserver I'm now 
> thinking about adding hkps support and becoming part of 
> hkps.pool.sks-servers.net.  I've got a couple of queries though. 
> 1. I'll probably want to share the port 443 with other sites.  Can
> one assume that SNI is supported by hkps clients or is there
> another mechanism recommended for hkps sharing a port?

Yes, you can assume SNI

> 2. Presumably I need to create a CSR for hkps.pool.sks-servers.net 
> rather than my own server name since that is what people will be

CN should be server name, the pool addresses are added as SANs

> trying to connect to.  Is there any preference with regard to 
> SubjectAltName vs CommonName or both?  The modern practice seems
> to

You add CN, I add the SANs when certifying

> be to use SubjectAltName but backward compatibility seems to be an 
> important part of the keyserver world.

Not for HKPS part, people should use up to date TLS libraries or
security is broken, but more practically it is the only way to support
using port 443 for most administrators that have shared services.

> 3. Are there any conventions regarding what should go into other 
> fields of the DN when creating one's CSR?

I should probably know this by heart, but don't have the config file
around atm; to be safe include CN, O, ST, C

> 4. Assuming I want to turn on HSTS I presumably need to install and 
> configure sslh to front port 443.  Anything else that might catch
> me out?
> William

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"A ship is safe in harbour, but that's not what ships are for"
(Will Shedd)
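Added example (not from the thread or from SKS itself) illustrating the SAN-vs-CN point above: how a TLS client decides whether a certificate is valid for the hostname it connected to. It follows the RFC 6125 rule that TLS libraries implement: when the certificate carries DNS subjectAltNames, only those are checked, and the CommonName is consulted only as a legacy fallback when no DNS SAN exists. The certificate dicts, the operator hostname `keys.example.org` and the pool name `hkps.pool.sks-keyservers.net` are constructed for illustration, in the shape returned by `ssl.getpeercert()`.

```python
# Hostname verification as hkps clients do it: DNS SANs first, CN only as a fallback.
# Certificates below are constructed sample data shaped like ssl.getpeercert() output.

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name against a hostname; wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject wildcards that are not a full leftmost label, cover a bare TLD,
    # or would have to span more than one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname under RFC 6125 matching rules."""
    dns_sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_sans:
        # Any DNS SAN present: the CN is ignored entirely, even if it would match.
        return any(_dns_match(name, hostname) for name in dns_sans)
    # Legacy fallback: no DNS SAN at all, so the CN is the only name to check.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False

# Constructed: CN is the operator's own server name, pool names are added as SANs.
POOL_CERT = {
    "subject": ((("countryName", "NO"),), (("organizationName", "Example Org"),),
                (("commonName", "keys.example.org"),)),
    "subjectAltName": (("DNS", "keys.example.org"),
                       ("DNS", "hkps.pool.sks-keyservers.net"),
                       ("DNS", "*.pool.sks-keyservers.net")),
}
# Constructed: pool name placed in the CN but a different name in the SAN.
# Clients never fall back to the CN here, so pool lookups fail against this cert.
CN_ONLY_POOL_CERT = {
    "subject": ((("commonName", "hkps.pool.sks-keyservers.net"),),),
    "subjectAltName": (("DNS", "keys.example.org"),),
}

if __name__ == "__main__":
    for host in ("hkps.pool.sks-keyservers.net", "keys.example.org"):
        print(host, cert_matches_hostname(POOL_CERT, host),
              cert_matches_hostname(CN_ONLY_POOL_CERT, host))
```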
